ISP guilty of ‘laziest design possible’, critics allege
UPDATED Hacktivists affiliated with Anonymous are poring over the entrails of a cyber-attack against controversial web host Epik that led to the leak of customer data.
US-based web host and domain registrar Epik is known for offering services to sites that carry far-right and extremist content including social networks Gab and Parler (a locus of planning for the January 2021 US Capitol riots) and image board 8chan.
In early September, Epik reportedly offered services to a “whistleblower” site run by antiabortion activists based in Texas, placing it in the crosshairs of hacktivists involved in Operation Jane, the campaign against the controversial Texas Heartbeat Act.
Anonymous hacked and defaced the Epik-hosted website of the Republican Party of Texas on September 11, following this up with an assault on Epik’s own infrastructure days later.
Masses of stolen data from Epik were subsequently released through the DDoSecrets organization.
Hacktivists boasted of releasing a “decade’s worth of data”: databases containing domain ownership records, transaction details, emails, and unsorted, or at least unindexed, encryption keys, all within the 32GB trove of leaked data.
In response to queries from The Daily Swig, Epik said only that it was investigating the alleged breach.
In a brief statement on Wednesday, Jessica Robison, Epik’s Director of Client Services, said:
We are aware of the messages that have been posted. We take the security of our clients’ data extremely seriously, and we are investigating the allegation.
Data breach experts polled by The Daily Swig confirmed that the dump of information looked legit.
While the security shortcomings that evidently led to the compromise of its systems remain unclear, the data encryption and privacy practices applied by Epik were lax, according to those revelling in the web host’s misfortunes.
An internet user offering snippets from what’s become known as the “EpikFail hack” offered The Daily Swig a run-down of the company’s operational and network security shortcomings.
At the very least, Epik is guilty of the laziest design possible. They should have segmented their users’ data across various databases, utilized multiple access credentials, and the only user that should have had access to that is their production application.
Instead, Epik took the easy way out. They charged their customers an additional fee to “protect their data” (via a Domain Add-On from http://Anonymize.com) and when a customer would sign up, Anonymize would assign them a UserID, which is fairly standard.
Unfortunately, Epik chose to use that UserID as the prefix for the domain’s WHOIS registration contact email address, thus providing the keys to go directly from domain name to “anonymous” domain owner with one line of code.
All these oversights were far from accidental and arose because customer protection was not part of Epik’s culture, according to the source.
“This is evident by passwords stored as plaintext and unhashed credit cards with expiration dates in the future,” they concluded.
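To make the source’s two complaints concrete (the UserID-as-email-prefix alias design, and plaintext password storage), here is an added Python sketch; it is not Epik’s or Anonymize’s code, and the privacy domain name and all sample values are constructed for illustration. It contrasts the deterministic alias with a random per-domain alias whose mapping only the proxy service holds, and plaintext storage with a salted scrypt hash.

```python
from typing import Dict, Optional, Tuple
import hashlib
import secrets

PRIVACY_DOMAIN = "anonymize.example"  # constructed placeholder, not a real service domain

def weak_whois_contact(user_id: int) -> str:
    """The design the source describes: the customer's internal UserID becomes
    the local part of the privacy-proxy email published in WHOIS."""
    return f"{user_id}@{PRIVACY_DOMAIN}"

def owner_from_weak_contact(contact: str) -> int:
    """Why that fails: the published WHOIS record alone yields the owner ID, and
    every domain of the same owner shares the prefix, so they are all linkable."""
    return int(contact.split("@", 1)[0])

class PrivacyProxy:
    """Hardened alternative: a random, per-domain alias. The alias-to-owner mapping
    is held only by this service (in production, a store reachable solely by the
    application that needs it), so a WHOIS record reveals nothing on its own."""

    def __init__(self) -> None:
        self._alias_to_owner: Dict[str, Tuple[int, str]] = {}

    def register(self, user_id: int, domain: str) -> str:
        alias = secrets.token_urlsafe(12)  # 96 bits of randomness per domain
        self._alias_to_owner[alias] = (user_id, domain)
        return f"{alias}@{PRIVACY_DOMAIN}"

    def resolve(self, contact: str) -> Optional[int]:
        """Only the holder of the mapping can go from contact address to owner."""
        entry = self._alias_to_owner.get(contact.split("@", 1)[0])
        return entry[0] if entry else None

def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Salted scrypt hash in place of the plaintext storage the source reports."""
    salt = salt or secrets.token_bytes(16)
    digest = hashlib.scrypt(password.encode(), salt=salt, n=2**14, r=8, p=1)
    return salt, digest

def verify_password(password: str, salt: bytes, digest: bytes) -> bool:
    """Constant-time comparison against the stored salt and digest."""
    return secrets.compare_digest(hash_password(password, salt)[1], digest)
```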
The Daily Swig got back in touch with Epik on Friday to challenge it on its earlier statements and request an update on what it was telling its customers.
Troy Hunt updated the haveibeenpwned database to support victims of the Epik breach over the weekend, in the process offering the clearest index of the nature and extent of the breach.
The data included more than 15 million unique email addresses (including anonymised versions for domain privacy), names, phone numbers, physical addresses, purchase records and passwords. The data relates not only to Epik customers, but also scraped WHOIS records belonging to individuals and organisations who were not Epik customers, according to Hunt.
This story was updated to add comment from breach guru Troy Hunt